Multifactor Authentication: Past, Present, and Future
Transcript of Multifactor Authentication: Past, Present, and Future
This document is confidential and is intended solely for use by its original recipient for informational purposes. Neither the document nor any of the information contained in this document may be reproduced or disclosed to other persons without the prior written approval of Scio Security, Inc.
Multifactor AuthenticationPast, Present, and Future
Jon Oberheide
CTO, Scio Security
Slide # 2Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Audience Survey
1. How many currently deploy multifactor authentication (MFA) in some form?
2. How many have MFA on their roadmap for the next year?
3. How many would like to deploy MFA if they had unlimited time and resources?
Slide # 3Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Agenda
• A Brief Intro to Multifactor Auth
• The DOs and DON'Ts of MFA
• Application to Real-World Incidents
• Wrap-up
Slide # 4Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Credential Theft
1. We suck at naming!
2. Attackers have discovered that stealing user credentials is the path of least resistance into an organization.
Bots, RAT, APT, SAG, phishing, vishing, smishing, pharming, whaling, ...
Slide # 5Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
The Evolution of Threats
The integrity of your organization's credentials hinges on the ability for an attacker to make a 3-line modification to his configuration file.
Sophisticated credential stealing attack tools are now a commodity and are publicly available:
Snippet from the configuration file of a “Silent Banker” malware sample:
Slide # 6Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Multifactor Authentication
• Multiple factors → increased security
• Factor classifications– “What you know”– “What you are”– “What you have”
Slide # 7Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
“What you know”
• Knowledge-based– “what you know”
• Common examples– Passwords
– Security questions
• Pros:– No special equipment
• Cons:– Easily phishable
– User memory burden
Slide # 8Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Sarah Palin's Email
Slide # 9Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Password Reset Nightmare
Slide # 10Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
“What you are”
• Biometrics– “what you are”
• Common examples– Fingerprint
– Voice recognition– Retina scan
• Pros:– No memory burden
• Cons:– Expensive equipment
– Often fails when subjectedto scrutiny (eg. Thinkpads)
Slide # 11Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
“What you have”
• Knowledge-based: too weak• Biometric: too expensive / unavailable
• What about a physical item you possess?• Example: ATM access
– Card (what you have) + PIN (what you know)
– Used to be an effective combination
Slide # 12Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
“What you have”
• Common examples– Digital certs– Smart cards
– USB tokens
– OTP generators
– ...
• Pros:– Should be resistant to
phishing, credential theft
• Cons:– Hardware can be costly
– You can lose the “what you have”
– Limited capabilitiesagainst advanced threats
Slide # 13Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Enter Mobile Devices
• Why not use a mobile phone instead for MFA?– Adoption is soaring
(4.6 billion subscribers)
• No hardware costs– $50/user hardware token
vs. free software token
• Wide range of capabilities– OTP generator via mobile apps
– Out of band voice / SMS
– Persistent data connection → security, usability, TIV
Slide # 14Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Agenda
• A Brief Intro to Multifactor Auth
• The DOs and DON'Ts of MFA
• Application to Real-World Incidents
• Wrap-up
Slide # 15Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Properties of Good MFA
• Secure Against what threats?
Passive Phishing / Keyloggers
Soft / HardOTP Tokens
Active Phishing /Remote Access Trojans
Out of BandVoice / SMS
Threat MFA Defense
Man-in-the-Browser (MITB) Attacks
OOB w/Transaction Verification
Slide # 16Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Raising the Security Bar
• Based on real threat models, not obfuscation
• Beware of security theater– Inconvenience != security
DO: Raise the bar for attackers
DON'T: Raise it an inch
Slide # 17Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Raising the Security Bar
Good example:
• Mobile Auth Agent– Secure, real-time channel:
Desktop ↔ Mobile device
• Attacker must now– Compromise your desktop– Compromise your phone– Collude between the two devices
Slide # 18Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Raising the Security Bar
Bad example: the bouncing keyboard
Slide # 19Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Properties of Good MFA
• Secure
• Usable
Users are great at bypassing annoying security mechanisms.
Slide # 20Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Make It Usable
• Give users flexibility– Based on preference,
environment, etc
DO: Make it usable by mere mortals
DON'T: Deploy MFA users can't understand
DumbDevice
SmartDevice
Offline
Online
Mobile Auth Agent
Hard Tokens
Soft Tokens
Voice/SMS
Slide # 21Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Make It Usable
Good example: a choice of factors
Slide # 22Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Make It Usable
Bad example: what is this I don't even...
Slide # 23Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Properties of Good MFA
• Secure
• Usable
• Low supportburden and cost
Hopefully not the size of your help desk call center
Slide # 24Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Easy on Admins
• Provisioning users with new/replacement tokens can be a costly pain
• On-premise equipment can be expensive, inflexible
DO: Reduce TCO with a low-touch service
DON'T: Swamp your help desk / support line
Slide # 25Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Easy on Admins
VS.
Bad example:Good example:
Slide # 26Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Agenda
• A Brief Intro to Multifactor Auth
• The DOs and DON'Ts of MFA
• Application to Real-World Incidents
• Wrap-up
Slide # 27Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Case Studies
• Spear phishing for remote access
• Internal IT access control
• Protecting sensitive transactions
Slide # 29Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Spear Phishing
Legitimate site or phishing site?
Slide # 30Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Interesting Observations
• Email characteristics– umich.edu from address
– Legitimate looking weblogin/webmail URL
– UofM block-M logo
• Phishing site characteristics– Matches style of legitimate weblogin site
– Redirect to real weblogin after successful phish
• Customized, but widespread targets
Slide # 31Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Attackers Getting Clever...
1. Attackers phish user credentials
2. Attackers use credentials to access off-campus VPN remote access services.
3. Attackers send spam via authenticated SMTP and internal UofM IPs
What's more interesting comes AFTER the phishing attack has succeeded.
These attackers have gained knowledge of specific University IT infrastructure.
Slide # 32Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
VPN Remote Access
• Traditional perimeter model– Physical boundary to internal network
• VPN perimeter model– VPN gateway acts as the new boundary– Inside perimeter tends to be more soft and
gooey...as much as we don't like to admit it
• Securing VPN remote access is key
Slide # 33Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Multifactor Options?
• SSL VPNs are a great MFA integration point– Exposes a web interface to user– Allows for interaction, selection of factors
DEMO!
Slide # 34Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Case Studies
• Spear phishing for remote access
• Internal IT access control
• Protecting sensitive transactions
Slide # 35Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Internal IT Intrusions
“We are suffering the mother of all security incidents here...to the extent that when I came in this morning, I unplugged the fiber from our machine room. We had to destroy X in order to save it.”
- IT Administrator
Slide # 36Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Post-Intrusion Forensics
• Entry point– ssh brute-force attempts– Weak user password
• Salt in the wound– Privilege escalation
– Trojaned ssh client and server
Slide # 37Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Backdoored SSH
Backdoored ssh client and sshd server dumping user credentials to disk and sending to a remote address.
Slide # 38Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Multifactor Options?
• How to protect internal servers?– PAM is a good integration point!
DEMO!
Slide # 39Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Case Studies
• Spear phishing for remote access
• Internal IT access control
• Protecting sensitive transactions
Slide # 40Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Sensitive Transactions
• Assume entry point is completely bypassed– eg. Cosign Weblogin vuln
• RO vs. RW mode– Allow common case of RO
– Challenge only upon sensitive RW operations
MFA doesn't have to be applied exclusively at a “login” stage.
Protection can instead be applied to individual sensitive transactions within an application.
Slide # 41Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Direct Deposit Verification
Slide # 42Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Multifactor Options?
• Confirmation email?– No, attacker can delete it
• Require a hard/soft token?– Depends on frequency of transaction
• Voice callback is a good fit here• Similar use cases:
– Password reset, account activation, etc
Slide # 43Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Agenda
• A Brief Intro to Multifactor Auth
• The DOs and DON'Ts of MFA
• Application to Real-World Incidents
• Wrap-up
Slide # 44Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Take-Aways
• Attackers focusing on users as the weakest link instead of exploiting apps/OS
• Knowledge-based authentication aloneis insufficient for protecting access
• Secure, usable, affordable MFA is possible– But beware the crazies!
Slide # 45Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010
Thank you
Jon Oberheide
@jonoberheide
http://sciosecurity.com
QUESTIONS?